How can we troubleshoot Security Assertion Markup Language (SAML) related issues with Adobe Experience Manager (AEM)? What information would be required to troubleshoot?
Infinite loop Issue:
Check if ds:signature is part of SAML assertion If not, This is to be done on IDP end and check the checkbox for signed Assertion
Check for nameId format in SAML response, The format should exactly match the nameId Policy format as configured in SAML Config
Check for SAML AudienceRestriction in SAML response, The value of this tag should exactly match the entity ID in SAML config
Check for saml2:conditions(NotBefore & NotOnOrAfter), Server is not in sync with ntp server.Use ntpd and force it to sync sys time (ntpdate -s pool.ntp.org). For test, change the clock tolerance to -1, this will ignore clock difference.
Check if idp do not have assertion signed. Ask idp team that response is signed and the assertion needs to be signed as per saml spec.
Check if SAML tracer output if the assertion from IDP is encrypted. If yes, Config of SAML auth handler should use the encryption checkbox
Check if SAML Certificate is in proper format:
Fetch the signature from SAML response and correct the certificate i.e. after 65th line, press enter and so on.
This can be then used to install in AEM truststore and match certificate details with IDP.
First always complete SAML setup without encryption. When this is done then enable encryption. Using this way it is easy to debug the issue
Make sure SAML login request is allowed in the filters section.If not, Update the /filter section to allow POST requests to */saml_login.
Check for change in Mod header(mod_header) on web server level in httpd.conf.It should be in below format